2/29/2008 @ 6:00AM

The No-Tech Hacker

Hackers have a lot of fancy names for the technical exploits they use to gain access to a company’s networks: cross-site scripting, buffer overflows or the particularly evil-sounding SQL injection, to name a few. But Johnny Long prefers a simpler entry point for data theft: the emergency exit door.

“By law, employees have to be able to leave a building without showing credentials,” Long says. “So the way out is often the easiest way in.”

Case in point: Tasked with stealing data from an ultra-secure building outfitted with proximity card readers, Long opted for an old-fashioned approach. Instead of looking for vulnerabilities in the company’s networks or trying to hack the card readers at the building’s entrances, he and another hacker shimmied a wet washcloth on a hanger through a thin gap in one of its exits. Flopping the washcloth around, they triggered a touch-sensitive metal plate that opened the door and gave them free roam of the building. “We defeated millions of dollars of security with a piece of wire and a washcloth,” Long recalls, gleefully.

In other instances, Long has joined employees on a smoke break, chatted with them casually, and then followed them into the building. Sometimes stealing data is as simple as wearing a convincing hard hat or walking onto a loading dock, before accessing an unsecured computer or photocopying a few sensitive documents and strolling out the front door.

Fortunately for his victims, the companies that Long invades are also his customers. As a penetration tester for
Computer Sciences Corporation
security team, Long is paid to probe weak points in a company’s information security. His job as a “white-hat” hacker is to think like the bad guys–the more evil genius he can summon up, the better.

And if tactics like tailgating an employee through a backdoor or picking a lock with a washcloth don’t seem like real hacking, Long would suggest fine-tuning the word’s definition. To bring that other side of hacking to the public’s attention, he wrote a manual cum manifesto titled No Tech Hacking, which was published this week. The book’s goal, aside from pumping Long’s already significant notoriety in the world of cyberpunks and script kiddies, is to show that hacking isn’t always the realm of high technology.

Instead, he argues, it’s still rooted in old-fashioned observation and resourcefulness. To obtain a corporate password, for instance, a hacker can pose as an employee and call a company’s help desk or simply look over an employee’s shoulder while he’s on his laptop at a local cafe. To access a network, Long will photograph an employee, fake his badge or even his uniform, and slip past the front door security to find an unguarded terminal.

That kind of no-tech hacking isn’t a new idea, but it’s one worth remembering, says Jeff Moss, the organizer of cyber-security conferences Black Hat and Defcon. “There’s a tendency in our industry to focus on the latest and most interesting attack,” he says. “But Johnny is trying to show that the simple security problems that were spotted a long time ago haven’t gone away, and the bad guys will use whatever’s available.”

That’s a lesson that the security industry should heed: The average cost of a data breach rose to more than $6.3 million last year, up from $4.8 million in 2006, according to research by the Ponemon Institute. And physical security played a growing role: Lost or stolen equipment accounted for about half of those breaches last year.

With those kinds of costs at stake, hiring hackers like Long isn’t cheap: For basic vulnerability assessment, CSC, which is based in El Segundo, Calif., charges a minimum of $35,000. For complete penetration testing, which often involves obtaining specific files to demonstrate a firm’s security flaws, the team can charge as much as $90,000.

But for the most in-depth hacking missions against well-protected companies, Long and the rest of CSC’s security team are also rewarded with the illicit thrill of intrusion. “When you get that James Bond feeling of espionage, it’s a huge adrenaline rush,” he says. Long admits that the night before a major case, his team often watches the geek thriller Sneakers. “Penetration tests that involve a human element are so much more exciting than sitting in front of a computer screen, poking through a company’s firewall.”

As a kid in suburban Maryland during the 1980s, Long’s hacking career began under less sensational circumstances. Surfing the pre-Web Internet, he browsed bulletin boards looking for pirated copies of video games. To pay for the growing long distance bills from his modem, he started charging his Web surfing to calling card numbers that he found on semi-legal sites. And when those phone-card sites started forcing users to pay for access, he found ways to circumvent the sites’ security measures.

Soon, the challenge of bypassing firewalls and accessing distant networks was more interesting than any video game. “I would be on my Commodore 64, talking to a Unix system somewhere far away,” Long says. “It was like traveling–the fascination of being in a place with a different culture and speaking a different language.”

When he graduated from high school, Long skipped college and got a job at a local university as a systems administrator. Before he was 20, he moved on to a major health insurance provider that was in the midst of bringing its systems onto the Internet. Long wrote up a report detailing all the company’s security vulnerabilities. It was ignored by his superiors. Feeling demoralized, he eventually left the company and landed at CSC’s offices in Falls Church, Va.

At CSC, Long found his niche. In 1998, for instance, he suggested a simple social engineering method to gain access to a company’s server that wasn’t attached to the Internet. Long tracked down the name of the company’s technical contact person on the Web, and made a phone call to its help desk pretending to be that person. The help desk’s staff switched on the server’s modem, and CSC’s team was inside. “Once I connected with the security team, I brought some of the perspective that the security community was just starting to get then, a street-level hacker mentality,” Long says.

From there, CSC began to experiment with the physical security hacks it now uses today, and Long began developing a set of techniques he calls “Google Hacking”: using simple search engine queries to find hackable vulnerabilities in Web sites. (See: “Google: A Hacker’s Best Friend“) Today CSC has one of the security industry’s better-known penetration testing teams, and Long is a celebrity in hacker circles.

Since he first became a professional penetration tester, cyber-security has evolved dramatically, Long says. No Tech Hacking is partly about the latest social engineering methods used by a new generation of cyber-criminals. Instead of searching for holes in companies’ increasingly tight security perimeters, their attacks are about drawing the target out, bringing employees to a compromised Web site that infects their network, or convincing an administrator to give up his or her password in an e-mail.

But the other lesson of the book, Long says, is that some things haven’t changed. “No matter how savvy we think we are, the oldest attacks are still possible, and they’re still prevalent,” he says. “The smartest systems are still falling for simple tricks, and that’s what keeps us in business.”